This section lists generic use cases along with the tools that are used to perform the integration.

Use Case	Solution	Minimum Supported Threat Defense Release	More Information
You want to unify visibility and correlate detections across multiple telemetry sources, prioritize threats based on the greatest risk, and enable security analysts to take rapid and effective action on what requires urgent attention.	Cisco XDR	6.4	Integrate with Cisco XDR
You want to stream host, discovery, correlation, compliance white list, intrusion, user activity, file, malware, and connection data from a Management Center.	Cisco Event Streamer (eStreamer)	6.0	Integrate with Cisco Event Streamer
You want to use Splunk to store threat and traffic data received from the management center and use this data to discover and investigate threats.	Cisco Secure Firewall (formerly known as Firepower) App for Splunk	6.0	Integrate with Splunk
You want to analyze and contain threats to your network by providing insight from multiple security products in QRadar.	Cisco Firepower App for IBM QRadar	6.0	Integrate with IBM QRadar
You want to increase your on premises Firewall event data storage capacity, retain this data for a longer period of time, and export your event data to a Secure Network Analytics appliance.	Cisco Security Analytics and Logging (On Premises)	6.4	Integrate with Cisco Security Analytics and Logging (On Premises)
You want to send Firewall events to the Cisco Secure Cloud Analytics (formerly known as Stealthwatch Cloud) for storage as you need more storage than what an on premises storage can provide, and optionally make your Firewall event data available for security analytics using Cisco Secure Cloud Analytics.	Cisco Security Analytics and Logging (SaaS)	6.4	Integrate with Cisco Security Analytics and Logging (SaaS)

Cisco Extended Detection and Response (Cisco XDR) is a cloud-based solution that unifies visibility by correlating threat detections across multiple telemetry sources and enables security teams to detect, prioritize, and respond to the most sophisticated threats. The solution enhances threat detection and response capabilities by prioritizing incidents based on risk, and enables security analysts to take rapid and effective action on what requires urgent attention.

This integration sends supported events from the threat defense devices to Cisco XDR for analysis.

Note	Cisco XDR is a separately licensed product. It requires an additional subscription beyond the licenses required for Cisco Secure Firewall products. For more information, see Cisco XDR Licenses.

Type of Integrations

You can integrate threat defense devices with Cisco XDR using two methods of integration:

• Direct integration: Supported on management center

• Syslog integration: Supported on management center and device manager

Direct Integration

You can configure your managed threat defense devices to send supported events directly to the Security Services Exchange in Cisco Security Cloud.

• Supported Secure Firewall user role to perform the integration: Administrator.

• Minimum supported threat defense version: 6.4 for the North America cloud and 6.5 for the Europe, APJC, India, and Australia clouds.

• Minimum supported management center version: 7.0.2 through 7.0.x, and 7.2.0 and later.

Note

If you were already sending events to the Cisco Security Cloud using a SecureX subscription, you can continue to send events to Cisco XDR. However, if you now register your management center to the cloud tenancy using your CDO account, your CDO account must have a Security Analytics and Logging license to forward events to Cisco XDR.

The following diagram shows how direct integration works.

	Threat Defense devices generate events.
	Threat Defense devices send supported events to Security Services Exchange.
	Cisco XDR queries Security Services Exchange for sightings related to the IP address being investigated and provides the security analyst with the additional context. The events are automatically or manually promoted as incidents that appear in Cisco XDR.

Syslog Integration

Use syslog to send supported events to the Cisco cloud from Firewall devices.

• Supported Secure Firewall user role to perform the integration: Administrator.

• Minimum supported Secure Firewall release: 6.3 for all cloud regions.

The following diagram shows how syslog integration works.

	Threat Defense device generates events.
	Threat Defense device sends the supported syslog events to the Cisco Security Services Proxy (CSSP) server.
	Every 10 minutes, the CSSP forwards the collected events to the Security Services Exchange.
	Cisco XDR queries Security Services Exchange for sightings related to the IP address being investigated and provides the security analyst with additional context. The events are automatically or manually promoted as incidents that appear in Cisco XDR.

The Cisco Event Streamer (also known as eStreamer) allows you to stream Firewall System events to external client applications.

At the highest level, the eStreamer service is a mechanism for streaming data from the Firewall System to a requesting client. The service can stream the following categories of data:

• Intrusion event data and event extra data

• Correlation (compliance) event data

• Discovery event data

• User event data

• Metadata for events

• Host information

• Malware event data

Note that eStreamer is not supported on NGIPSv, Firewall Services, threat defense virtual, and threat defense. To stream events from these devices, you can configure eStreamer on the Management Center that the device reports to.

There are three major steps to creating and integrating an eStreamer client with a Firewall system:

1. Write a client application that exchanges messages with the Management Center or managed device using the eStreamer application protocol. The eStreamer SDK includes a reference client application.

2. Configure a Management Center or device to send the required type of events to your client application.

3. Connect your client application to the Management Center or device and begin exchanging data.

Supported Firewall user role to perform the integration: Administrator

Minimum supported Firepower release: 6.0

For more information on integrating Firewall with the Cisco Event Streamer, refer the Secure Firewall Management Center Event Streamer Integration Guide.

Cisco Secure Firewall (f.k.a. Firepower) App for Splunk presents security and network event information sent to Splunk from management center running version 6.0 or later. You can discover and investigate threats using threat and traffic data from the management center. Splunk can store far more data than management center can, so you have greater visibility into activity on your network.

This app is a successor to the Cisco Firepower eNcore App for Splunk ( https://splunkbase.splunk.com/app/3663/). You can run both apps in parallel if you choose to do so.

Supported Firewall user role to perform the integration: Administrator

Minimum supported Firepower release: 6.0

Supported Splunk versions and other compatibility information is here: https://splunkbase.splunk.com/app/4388/.

Before you can use this app, your Firewall event data must be in Splunk. To bring your Firewall data into Splunk, use the Cisco Secure eStreamer Client Add-On for Splunk (formerly known as the Cisco eStreamer eNcore Add-on for Splunk.) This technical add-on (TA) is available from https://splunkbase.splunk.com/app/3662/.

Documentation for this TA is available from https://www.cisco.com/c/en/us/support/security/defense-center/products-programming- reference-guides-list.html.

For more information on the Cisco Secure Firewall (f.k.a. Firepower) App for Splunk, see the User Guide for Cisco Secure Firewall (f.k.a. Firepower) App for Splunk.

The Cisco Firepower App for IBM QRadar helps you analyze and contain threats to your network by providing insight from multiple security products in QRadar.

The QRadar Security Information and Event Management (SIEM) tool provides anomaly detection, incident forensics, and vulnerability management.

After you set up the app, you can view event data from your Firewall system in graphical form in the QRadar console.

Supported Firewall user role to perform the integration: Administrator

Minimum supported Firepower release: 6.0

For more information on the Cisco Firepower app for IBM QRadar, see the Integration Guide for the Cisco Firepower App for IBM QRadar.

Cisco Security Analytics and Logging (CSAL) streamlines decision making by aggregating logs from various Cisco devices and providing an intuitive view of network activity. Security Analytics and Logging can be expanded at the user’s discretion, allowing for longer retention and analysis, and even alerts on potential threats found in your firewall and other networking devices.

The Firewall devices can be integrated with CSAL using two methods– On Premises and Security as a Service (SaaS).

Comparison of Cisco Security Analytics and Logging Remote Event Storage Options

On Premises	SaaS
You purchase, license, and set up the storage system behind your firewall.	You purchase licenses and a data storage plan and send your data to the Cisco cloud.
Supported event types: Connection Security Intelligence Intrusion File and Malware LINA	Supported event types: Connection Security Intelligence Intrusion File and Malware
Supports both syslog and direct integration.	Supports both syslog and direct integration.
View all events on the Secure Network Analytics Manager. Cross-launch from management center event viewer to view events on the Secure Network Analytics Manager. View remotely stored connection and Security Intelligence events in management center	View events in CDO or Secure Network Analytics, depending on your license. Cross-launch from management center event viewer.

For more information, see links in the Data Storage chapter in the Cisco Secure Firewall Management Center Device Configuration Guide or online help.